Threat Lab

Girl Scouts and OpenText empower future leaders of tomorrow with cyber resilience

The transition to a digital-first world enables us to connect, work and live in a realm where information is available at our fingertips. The children of today will be working in an environment of tomorrow that is shaped by hyperconnectivity. Operating in this...

World Backup Day reminds us all just how precious our data is

Think of all the important files sitting on your computer right now. If your computer crashed tomorrow, would you be able to retrieve your important files? Would your business suffer as a result? As more and more of our daily activities incorporate digital and online...

3 Reasons We Forget Small & Midsized Businesses are Major Targets for Ransomware

The ransomware attacks that make headlines and steer conversations among cybersecurity professionals usually involve major ransoms, huge corporations and notorious hacking groups. Kia Motors, Accenture, Acer, JBS…these companies were some of the largest to be...

How Ransomware Sneaks In

Ransomware has officially made the mainstream. Dramatic headlines announce the latest attacks and news outlets highlight the staggeringly high ransoms businesses pay to retrieve their stolen data. And it’s no wonder why – ransomware attacks are on the rise and the...

An MSP and SMB guide to disaster preparation, recovery and remediation

Introduction It’s important for a business to be prepared with an exercised business continuity and disaster recovery (BC/DR) plan plan before its hit with ransomware so that it can resume operations as quickly as possible. Key steps and solutions should be followed...

Podcast: Cyber resilience in a remote work world

The global pandemic that began to send us packing from our offices in March of last year upended our established way of working overnight. We’re still feeling the effects. Many office workers have yet to return to the office in the volumes they worked in pre-pandemic....

5 Tips to get Better Efficacy out of Your IT Security Stack

If you’re an admin, service provider, security executive, or are otherwise affiliated with the world of IT solutions, then you know that one of the biggest challenges to overcome is efficacy. Especially in terms of cybersecurity, efficacy is something of an amorphous...

How Cryptocurrency and Cybercrime Trends Influence One Another

Typically, when cryptocurrency values change, one would expect to see changes in crypto-related cybercrime. In particular, trends in Bitcoin values tend to be the bellwether you can use to predict how other currencies’ values will shift, and there are usually...

Increasing Profits by Moving to the MSP Model

The benefits of adopting the managed service provider (MSP) business model are compelling. After all, predictable, recurring revenue; deeper engagement with clients; and a trusted advisor relationship that generates further business opportunities all sound like everything a successful services business could want. However, for some, it still means braving uncharted territory.

Important Considerations

IT solutions providers interested in switching to the MSP model face a number of decisions. Before you do anything else, you have to define your service offerings. There are so many companies who offer products in the primary MSP categories, so it’s important to take your time in performing a detailed analysis of the pros and cons of various products.

  • Automation
    Plain and simple, you need automation tools. These include professional services automation (PSA) and remote monitoring and management (RMM) software, which are the backbone of every MSP’s business. Pay close attention not to just features, but the pricing structure and integrations with the other tools you plan to use.
  • Timing
    Another challenge can be finding the right timing to migrate existing customers. The process of transitioning current customers can be a minefield of logistical issues, particularly if those customers purchased different products on a staggered schedule. In those cases, you must consider not just what your full managed services offering will look like, but how to get existing customers onto a monthly bundle.
Differentiating Your Business

Remote monitoring is a standard part of the traditional MSP portfolio. Disaster recovery, such as a secure backup system, is also a leading service to pitch to customers, since disasters of all types can hit an organization at any time, and have the potential to cripple their business operations. So what’s going to make you stand out? You might not think so, but many MSPs are leading with another equally important service: endpoint security.

Computers, mobile devices, and servers will always need protection, but modern businesses face a variety of new challenges. Cybercriminals have only increased their efforts at causing mischief, launching new and creative ransomware with startling frequency at companies around the globe. Additionally, many organizations in the healthcare, financial, and retail segments have compliance mandates for handling sensitive data, which typically include endpoint security. In short, the time is right for starting a conversation about security.

Selecting Cybersecurity

The MSP model is about efficiency gains, so choose a provider that helps reduce your TCO. Look for a security offering that doesn’t need a local server, offers flexible monthly billing, and consider a solution that’s cloud-based so it won’t impact system performance. The security application you choose should be effective, lightweight, and have no noticeable impact when running.

Should disaster strike, it’s also very important to have a solution that can remediate systems automatically, reducing the burden on your IT staff. On the topic reducing burdens, the solution should also include PSA or RMM integration, or a management console that can automate routine tasks and give you the granular visibility you need to oversee all your customers in one place.

Making the Switch to the MSP Model

While adding managed services might seem daunting, it’s a powerful way for resellers to add new revenue streams to the business while transitioning into a hybrid or full MSP model. Keeping costs down on monthly contracts gives MSPs a big advantage today, and if the managed services model didn’t work for both customers and IT solution providers, it wouldn’t have seen the adoption and success it has experienced in recent years. Although the transition isn’t easy, it holds a lot of promise. IT solution providers in transition can rest assured that their best and most profitable years are ahead.

Read this case study to find out how SLPowers, an MSP managing 76 different companies with over 2,000 endpoints, got its start in the reseller realm, moved to managed services, and leveraged next-generation endpoint protection to improve customer satisfaction, lower costs, and increase profitability

Or, take a free, no-risk, no-conflict 30-day trial of Webroot SecureAnywhere Business Endpoint Protection with the Global Site Manager to see the solution SLPowers chose in action.

Satan: A new ransomware-as-a-service

Ransomware as a Service (RaaS) has been growing steadily since it made its debut in 2015 with Tox. With the new Satan service, it’s easier than ever. The idea is to use this web portal to contract threat actors to create new ransomware samples for distribution via the desired attack vector. This allows any potential cybercriminal, regardless of their skill or coding knowledge, to upgrade to an encrypting ransomware business model.

Satan - Image 1

Those who join the program have a number of viewing options in the portal. The Account panel shows various stats, including how much money has been made, infection count, current share percentage, etc.

Satan - Image 2

All a criminal needs to do is enter a few simple pieces of information to generate brand new malware that’s ready to infect victims. Note that the portal author specifically requests downloaded samples not be shared with VirusTotal, decreasing the likelihood that security vendors will have encountered the variant.

Since the darknet web portal creator takes a 30% cut of all ransoms, it’s in his best interests to make sure as many victims are infected as possible. He provides a guide with step-by-steps instructions on how to deploy malware using obfuscation techniques to avoid detection.

The author also advertises his web portal on underground forums, and explains the payload and the payout scheme. After all, affiliates’ success means he gets a bigger cut.

Although Webroot will catch this specific variant of ransomware as a service in real time before any encryption takes place, don’t forget that the best protection in your anti-ransomware arsenal is a good backup solution. You can use a cloud service or offline external storage, but keeping it up to date is crucial for business continuity.

For best practices for securing your environment against encrypting ransomware, see our community post.

 

 

Four Rising Stars on the Ransomware Stage

 

By now, everybody has probably heard of CryptoLocker. It makes sense that CryptoLocker would get a fair amount of media attention, since it’s been involved in several high-profile hacks, but there are a number of other players on the ransomware stage that deserve a place of distinction among the list of players. Managed service providers (MSPs) like you know the value of staying up to date on the variety of different types of threats—in addition to their individual stats and characteristics—to keep clients safe.

Cast of Ransomare Players
  1. CryptoWall 4.0 

    A bit like the Barrymores, the Sheens, the Coppolas, (the Kardashians?), the CryptoWall family gets more media coverage with every generation. Following in the family tradition, CryptoWall 4.0 uses phishing emails for distribution. This is hardly a surprise, since phishing is still the single most effective way to drop a malware payload. But CryptoWall 4.0 marches to the beat of its own drum; not only are the victim’s files encrypted, this ransomware randomizes the filenames so the victim can no longer tell which file is which. By fanning the flames to create confusion around how much file damage there actually is, the new CryptoWall increases its chances that victims will pay up.

    Additionally, CryptoWall 4.0 includes a free decrypt video to convince victims that the decryption steps they need to get their files back is effortless, and that handing over the ransom will get them their files back.

    • Phishing email attachment is source of payload
    • Randomizes victim’s filenames to create confusion
    • Offers free decrypt demo to add credibility
  2. PadCrypt 

    Rather than hiding out and concealing its plans, what makes PadCrypt different from its contemporaries is its willingness to interact with the public. Embedded into the “product”, PadCrypt includes a chat interface. The ransom process of setting up a Bitcoin wallet, filling it with bitcoins, and sending payment can be complicated. By offering this chat feature, PadCrypt lends a more human support element to the ransomware process, providing so-called support to its victims. (How sweet!)

    • First ransomware with chat support
    • Communicates via Darknet to avoid being traced
    • “Helps” even less savvy victims pay up
  3. TeslaCrypt 

    Because it targeted gamers specifically and encrypted the files they need for their games, TeslaCrypt is more of what you’d call a cult fave. The files it takes hostage included saves, mods, and profiles. But since TeslaCrypt was being sold by non-authors on the Darknet, the original authors leaked the master decryption key to the public to permanently diffuse the threat. While it’s laying low for now, we wouldn’t be surprised if TeslaCrypt showed up again next season.

    • Accounted for ~11% of distributed ransomware
    • Attacked over 200 extensions on newer variants
    • Targeted gamers (Valve, Bethesda, Unreal Engine files)
    • Circumvented 3rd party defense to deliver polymorphic payloads at root level
  4. RaaS (Ransomware-as-a-Service) 

    Not an actor, per se, but RaaS is more like a local theater company that encourages audience participation. Created for criminals by criminals, it opens up the ransomware stage to hackers of all skill levels. Thanks to RaaS, almost anyone can distribute encrypting ransomware payloads of their own design. In return, hackers pay for the service by sharing a cut of their spoils with the original author.

    • Enables almost anyone to make ransomware
    • Portal for malware generation is exclusively in Darknet (typically invite-only)
    • Intended for less-skilled cybercriminals who rent botnets
    • The malware author who created the portal takes a commission
 Conclusion

Even though the number of ransomware stars keeps growing, and their methods keep getting more diverse and advanced, managed service providers (MSPs) can take steps to maximize defense and help clients stay ahead. Keeping yourself and your customers in the know about the latest tactics and types of exploits favored by today’s ransomware is vital—as well as putting together an all-star cast with next-generation endpoint protection that utilizes collective threat intelligence to proactively protect against the rising stars of malware.

Next Steps: Want to find out if Webroot has what it takes to protect your customers? See for yourself with a no-risk FREE trial. You don’t even have to uninstall existing security. Want to learn more about how Webroot partners with MSPs to delight customers, lower costs, and boost profits? Learn more.

MSPs Won’t Believe What Ransomware is up to Now…

Did we get you to click? That’s how the bad guys get you, too. One little click on the wrong link and your clients’ businesses could be up the proverbial creek.

Theft only comprises one aspect of the activities cybercriminals undertake, but it’s a sizeable chunk of their enterprise. What’s worth noting is what the thieves are stealing. The majority of cybercrime is focused on stealing data with the intent of selling it for profit to a third party, but what keeps one little malware family in the headlines is how differently it plays the game. In a recent conversation between Webroot Chief Technical Officer and rocket scientist Hal Lonas and Penton Technology Market Analyst Ryan Morris, we can see how ransomware is rewriting all the rules.

During the discussion, Lonas noted, “the bad guys used to want your data because it was valuable to them. If [they] could get your credit card number or your identity or a secret from your company, [they] could go sell that.”

When Morris asked what makes ransomware different, Lonas had this to say: “The interesting thing about ransomware is that criminals are now saying, ‘Your data is valuable not to me, the bad guy, but to you. How much is your data worth to you?’ They’re betting that you don’t have any backup and protection in place, so their angle is to take your data and hold it for ransom until you decide what the value is, and then you pay them.” So, while conventional security threats may steal information to sell down the line, what sets ransomware apart is that it seeks to extort money from the victimized company itself.

Morris responded that he’s heard about modern companies with robust security operations run by professional in-house InfoSec teams who, as recently as this year, have paid ransoms. “That blew my mind,” he stated. “I, perhaps naively, thought we’d solved these types of problems.”

Layered Security is the Game Changer in Fighting Ransomware

The question is: if even large businesses with high-powered, fully-staffed dedicated IT departments are having a hard time with these threats, what hope do smaller businesses and the managed service providers (MSPs) they trust to secure them have to fight back against ransomware?

Morris raised the questions, “How can we win the battle in the ransomware universe? What preventive steps should we take, and what ongoing measures should MSPs and end users implement to protect themselves from ransomware threats?”

Lonas cited these key strategies for a solid cybersecurity defense:

“Investing in backups and data security is of paramount importance. That’s hardly new advice. It applies to everything from business security to homeowner’s insurance. But, with a threat like ransomware on the loose, it’s more crucial than ever to make sure our data is securely backed up and that we can recover it quickly, easily and in its entirety. We also have to test the backups; spend a little extra time and money verifying that the recovery systems are going to work.

“From there, we need to make sure we have a multi-level security approach in place. We’ve talked about this for years—the layered security approach—to ensure that malware and other types of breaches don’t get through, and each new attack vector can mean a new layer. Sometimes this causes redundancy, but as long as the various layers work in harmony, they provide comprehensive security that can prevent breaches. Firewalls, next-generation firewalls, web filtering, proxies, VPNs… we have to ensure all of those protection layers are deployed.”

As he continued, Lonas made sure to emphasize the importance of endpoint security. “We have to have world-class endpoint security on all of our machines: the Windows machines, the Apple machines, and the mobile devices, including bring-your-own-device.” According to Lonas, every device that could conceivably connect to a network needs protection so that it doesn’t become the gateway for cybercriminals to infiltrate an organization.

The More Your Clients Know…

Finally, user education is critical. Lonas concluded his recommendations by stating that users need to be aware of the types of threats they’re going to face, the various kinds of phishing attacks, fake messages, emails, and even phone calls they might get from people claiming to be tech support personnel who just need a password to make a quick update. “Bad guys are always figuring out new ways to get to us,” he warns. “The combination of layered security that covers all potential threat vectors, solid backup and recovery strategies, and user education is the only way companies can protect themselves, their employees, and their customers from ransomware.” Existing Webroot MSPs can take advantage of the tools and content available in the ChannelEdge Toolkit and use it educate and inform their clients on threat protection and industry best practices.

Get Ready, Get Set, Take Action

Adopt a next-generation endpoint security solution that uses advanced behavioral technology and real-time detection to keep users safe. Take a 30-day FREE trial of Webroot SecureAnywhere® Business Endpoint Protection—no risk, no obligation to buy. You don’t even have to uninstall existing security.

RDP Attacks: What You Need to Know and How to Protect Yourself

For many years now, Microsoft has offered a system with Windows that allows you to take control of another machine. This has been invaluable for system admins that need to control servers and other Windows machines, without having to run around from office to office or site to site. Easy takeover of machines does come with risks. The protocol known as Remote Desktop Protocol (RDP) and the Remote Desktop Connection software that relies on it are often victims of simple attacks. These attacks have been on the rise in recent years and are extremely popular at the moment, as they are enticing for cyber criminals that seek to compromise the admins and machines that control whole organizations.

How is Remote Desktop Protocol a security risk?

RDP often uses a particular port that is easy to locate in a scan. And unfortunately, the default account username for an admin is often Administrator. While it’s no secret that having a poor password policy is not ideal for server security, it’s worth reiterating here it can mean that hackers can try huge amounts of passwords before anyone is alerted or an account is locked out.

Once an intruder gets admin access, they can deliver specialized malware or remote access tools that can often be almost impossible for any security solution to detect. With admin privileges and route access to the desktop, maximum damage can be done. This stresses the importance of endpoint protection, as well as policies, monitoring, logging, backups and incident response.

How to protect & secure your organization from Remote Desktop attacks

Preventing such brute force attacks isn’t as complicated as it may seem. You can employ a few easy actions to keep your organization safe:

Prevent scanning for an open port

  • Change default RDP port from 3389 to another unused port
  • Block RDP (port 3389) via firewall
  • Restrict RDP to a whitelisted IP range

Prevent attackers from gaining access if RDP is enabled

  • Create a Group Policy Object (GPO) to enforce strong password policy (GPOs are important and should be common practice for your organization)

Optional

  • Require two-factor authentication

Getting to the bottom of suspicious activity is vitally important and our team is here to help. Contact us today or learn more about our full suite of business cybersecurity solutions.

DDoS attack on Dyn cripples the internet

 

A portion of the internet went down after suffering a crippling blow from a series of global attacks on a cloud-based Internet Performance Management (IPM) company, called Dyn. Major websites including Twitter, Reddit, Spotify and even game servers for Battle Field 1 have been affected.

This was all made possible by an unknown group of malicious actors that targeted a DDoS attack on a company called Dyn. Dyn provides an internet DNS system which allows users to connect to websites by routing a human readable internet address to their corresponding IP addresses. For example, http://webroot.com becomes: 66.35.53.194.

Dyn was being overloaded by requests from tens of millions of IP addresses all at once, causing their service to go down. Imagine a one-lane highway designed to handle the traffic flow of about 100 cars per hour. Then imagine that the same highway was suddenly riddled with over 10,000 cars. This would cause a bottleneck so severe, that the traffic would just stop. That’s essentially what happened Friday morning with Dyn.

The internet is a superhighway with destinations to a number of IP addresses rather than the actual domains of the websites. The issue is that there has to be a record of what websites and domains translate to what IP addresses. A Top Level Domain (TLD) provides that service, and they are the answer to the question of which name belongs to each IP address.

In this case, it’s been confirmed that an Internet of Things botnet, called Mirai, has been identified as a participant in the well planned and sophisticated attacks. The motive for this attack is only being speculated, given that the actual actors for the attacks have not yet surfaced or explained their intent.

Dyn has released an update on the DDoS event here, and you can subscribe for real-time updates on the status of the attack.

Source Code for Mirai IoT Malware Released

Recently, source code for the Internet of Things (IoT) botnet malware, Mirai, was released on hack forums. This type of malware was used last month in an historic distributed-denial-of-service (DDoS) attack against KrebsOnSecurity, which was estimated to have sent 650 gigabits per second of traffic from unsecured routers, IP cameras, DVRs and more to shut down the domain. Thanks to DDoS prevention measures by engineers at Akamai, the company protecting Krebs, the attack was unsuccessful; however, they report that this attack was nearly double the size of the largest one they’d previously seen.

Now that this malware is released publicly, we can expect to see more DDOS attacks coming from botnets such as unsecured routers and other IoT devices. For those wondering who would leave the default firmware username and password on their devices, the answer is “millions of people.” In fact, using Telnet alone (TCP/IP protocol for remote access), Mirai-author, Anna-senpai, reported “I usually pull max 380k bots.” It’s worth noting that many are saying Mirai wasn’t the only malware variant involved in the attack. Level 3 Communications reported that the Bashlight botnet may have played a part, as well.

How the Mirai attack worked

Mirai continuously scans the internet for IoT devices and logs into them using the factory default or hard-coded usernames and passwords.

Once infected, the devices connect to command and control servers to gather details of the attack and target. They then produce large amounts of network traffic—spoofed to look legitimate—at the target servers. With hundreds of thousands of these running in tandem, it’s not hard to shut down most sites. These devices-turned-botnet will still function correctly for the unsuspecting owner, apart from the occasional sluggish bandwidth, and their botnet behavior may go unnoticed indefinitely.

hack2

Infected systems can be cleaned by rebooting them, but since scanning for these devices happens at a constant rate, it’s possible for them to be reinfected within minutes of a reboot. This means users have to change the default password immediately after rebooting, or prevent the device from accessing the internet until they can reset the firmware and change the password locally. If you’re taking these steps, make sure to no longer use Telnet, FTP, or HTTP, and instead use their encrypted counterparts SSH, SFTP, and HTTPS.

The underlying problem is that IoT manufacturers are only designing the devices for functionality and aren’t investing in proper security testing. Right now, it’s up to the consumer to scrutinize the security on any devices they use. In the future, some kind of vendor regulation may be necessary.

Hack forums have removed the published code, but it’s still available here.

Protecting Against Emerging Ransomware

 

While ransomware has become a buzzword for some, cyber criminals have made it a lucrative business and one which they are constantly evolving. Each day, the Webroot BrightCloud® Threat Intelligence Platform monitors, classifies and scores 95% of the internet to discover 6,000 phishing sites and 80,000 variants of malware and PUAs.

According to Webroot’s latest research, more than 97% of threats are unique to a single endpoint making traditional signature-based antivirus underprepared and ineffective in protecting businesses against today’s threat landscape. In this podcast, Tyler Moffitt, Senior Threat Research Analyst for Webroot, joins Ryan Morris, contributing editor for Penton Technology, to explain the newest and most challenging forms of ransomware, such as malvertising. In addition, they dive into the latest threat trends and arm MSPs with tested and actionable suggestions to help protect themselves and their customers from becoming another statistic.

 

Penton Technology Podcast with Tyler Moffitt – Ransomware – Part 1


Penton Technology Podcast with Tyler Moffitt – Ransomware – Part 2

 

A Conversation with Hal Lonas about Threat Intelligence and Machine Learning

After sitting down with Hal Lonas to get a deeper look at the inner workings of Webroot, there was no questioning why he’s uniquely qualified to serve as the company’s CTO. And with machine learning getting thrown around as the hot new buzzword, it was refreshing to hear Hal’s down-to-earth perspective on motivations, ideas, solutions and what drives Webroot to continue innovating in the world of threat intelligence.

……………………………………………………………………………………


Tell me about your background. What led you to create BrightCloud?

I have been developing software products for years and got into the security software space as Director of Development with Websense in 2000. At the time, websites were being classified manually, even though the number of sites and security breaches were already increasing exponentially. It just seemed like the wrong way to solve the problem.

A few of us saw the trends of cloud computing, machine learning advances, and threat escalation as an opportunity to do things differently. So we dropped out of Websense and started BrightCloud, which was founded and architected on the belief that automated classification using machine learning and the scalability of the cloud was the only way to go.


BrightCloud technology does a great job in combatting today’s threats; dynamic ones that appear, damage, and disappear. Was it built with polymorphism in mind?

We actually didn’t build BrightCloud tech with polymorphic or transitory malware in mind. We built it to bring incredible speed, scale, and flexibility to finding threats. So when polymorphism came to the forefront several years ago and started overwhelming traditional signature-based solutions, we were at the right place at the right time. There are many other security problems that BrightCloud technology solves based on the architecture and platform we’ve built, for example finding phishing and fraudulent sites in real time.

You also have to credit Webroot’s vision in combining cloud-based endpoint security with Webroot threat intelligence. Webroot endpoint technology was designed from the ground up to be cloud-based and globally scalable, to minimize the time from threat detection to global protection. Additionally, Webroot had the guts to transform the product and the company from a traditional antivirus offering to a platform-based service approach. That’s a key aspect to the entire ecosystem we protect.


How is your approach to threat intelligence different from most?

Well for one thing, we don’t generate white lists, black lists, or static feeds of data. You could use our data in that way, but the threat landscape is way too big and dynamic for that, and we offer so much more. As soon as you publish a list, it’s out of date. Security professionals need a service where they can ask questions and get security advice at the moment of truth, which is just before you click on a website, before your firewall accepts a connection from an unknown IP, or before you run that downloaded file or mobile app. That’s what we do with the BrightCloud system at Webroot. And that’s what gives our products and partners protection no one else can provide.

The way our technology works, everything on the internet has a reputation score somewhere between totally trustworthy—so a score of 100—down to clear and present danger scores of single digits. That allows our customers to set a risk threshold for activity they want to allow or block, and decide when to warn users. That’s a very different approach than others in the field are taking. When we say ‘actionable threat intelligence’, that’s what we mean; we inform critical decisions at the moment of truth billions of times every day.


What approaches do you think cybercriminals will be using in the future?

Ransomware has been very successful, so I think we’re going to see more of that. The bad guys are going to find areas where we are lazy in protecting ourselves and they’re going to exploit those weaknesses. We might find things like demands of payments simply not to attack us, almost like extortion for so-called protection.

Besides security, we might also find other business areas where we’ll be forced to improve, like getting rid of passwords for authentication, and making data backups easier and testing them to see if they work.

Also, as legacy operating systems from Microsoft, Apple, and Google get more secure, attacking them will become less easy and profitable. That means the bad guys are going to look at other areas to attack, like newer home and business devices connected to the internet. We describe this as the new and expanding attack surface area.

As more new products and devices get added to networks, it seems as if those products are being rushed to market and that security is an afterthought. In a lot of cases, many times not in the product at all when it’s released.


We observed in our quarterly threat brief that malware attacks have actually gone down in the past few months. Does that mean that the overall threat level is decreasing?

There may be a number of contributing factors here. Based on what we’ve observed, our impression is that even if there are fewer attacks, they’re more impactful. For example, a single organization hit by ransomware may struggle for days or weeks trying to recover or decide whether they should pay. Additionally, cybercriminals are taking time to regroup as security solutions get smarter and as more threats are stopped earlier by machine learning and automation. As the bad guys figure out their next move, we’ll see threats take off again, most likely in new areas.


Can machine learning help combat the threats that are keeping you up at night?

Absolutely. Not only can it help, but we believe it’s the only way to solve the growing threat problem, which is why our next quarterly threat brief will focus specifically on machine learning. Of course you have to be smart about it, and threat researchers and analysts are still key parts of the puzzle, but we’ve figured out how to leverage and amplify their knowledge and productivity a thousand-fold. As threats become more transitory and harder to find, humans are going to be even more overwhelmed and won’t be able to keep up without automation.

Threat Recap: Week of September 5th

 

There’s a lot that happens in the cybersecurity world, with many stories getting lost in the mix. In an effort to keep our readers informed and updated, we present the Webroot Threat Recap, highlighting 5 major security news stories of the week.


No Site is Immune to  User Information Exposure

In yet another example of poor cybersecurity, Brazzers has issued a statement regarding the unauthorized access to nearly 800,000 sets of usernames, passwords, and email addresses. The data itself lacked any encryption and was viewable in plaintext. Users of the Brazzers forums are being suggested to change their passwords for the site, as well as any sites they may have reused the password on.

Dridex Adds Crypto-Currency Wallets to Attack Vector List

While Dridex, a prolific banking trojan, has been laying low for the past several months, its authors have made significant changes. The first noticeable change is the addition of several crypto-currency wallet managers to its list of keyword searches done when infecting a new computer. By capturing and analyzing data from the infected computer, the command-and-control servers are able to make decisions on how to proceed based on the criteria that is met.

Russian Instant Messaging Service Breached

It was recently announced that over 33 million user accounts from QIP.ru, a Russian instant messaging service, had been illegally accessed and posted publicly. Unfortunately for users of the service, all of their information was unencrypted, leaving it accessible to anyone. After further analysis of the stolen data, it has again been proven that users pick amazingly simple passwords that are also used by thousands of other individuals.

Google to Begin Marking HTTP Sites As Unsafe

In a push to get all website owners to use HTTPS, Google has announced that starting in January of 2017, Google Chrome will begin flagging sites that transmit passwords or credit card information over HTTP. With this effort, Google hopes to make Internet transactions safer. Already they have had a significantly positive response with many of their top 100 sites switching to HTTPS as default.

Cybersecurity Lacking for High-Demand Devices

As we expand further into internet-connected, wearable devices, one commonality has become glaringly obvious–cybersecurity has been a low priority for many companies. As they rush to push these devices to market, there is a lack of significant testing done to ensure customers’ private information is safe. Even more worrying is this security void when it comes to connected systems in homes, as physical security for clients can be breached wirelessly if the connected system is simply shut off.

Threat Recap: Week of August 29th

 

There’s a lot that happens in the cybersecurity world, with many stories getting lost in the mix. In an effort to keep our readers informed and updated, we present the Webroot Threat Recap, highlighting 5 major security news stories of the week.


European Company Loses Millions in Targeted Phishing Scam

In the last couple weeks, Leoni AG, one of the largest electrical wiring companies in Europe fell victim to a Business Email Compromise (BEC) scam involving the CFO transferring a significant sum of money to a non-verified bank account. This location was likely the main target due to it being the only one of four factories that has the authorization to transfer money, and did so by spoofing an email to the companies CFO with very specific details about their internal transfer protocol, and “sent” from one of the company’s higher ranking executives.

Hotel & Restaurant Chain Warns of Jeopardized Payment Terminals

Recently, Kimpton Hotels has issued a statement that verifies the presence of malware on payment processing devices in over 60 of their locations across the country. It is believed that credit cards used at these locations in the first half of 2016 may be compromised and should be monitored for illicit transactions taking place. While the incident is still under investigation as yet another victim in a long line of large-profile targets, Kimpton officials are still unclear on the source of the breach.

Blizzard and EA Face DDoS Attacks during Releases

With the launch of the latest World of Warcraft expansion, Legion, occurring in the same week as the online-beta release of Battlefield 1, it comes as no surprise that both companies were in a prime position for a cyberattack. Unfortunately, that’s just what happened, as both companies were hit with DDoS attacks that brought several servers down for a period, and affected latency for many gamers trying to access the games upon availability.

NHS Hospitals Hit with Ransomware, Not Paying Up

In a recent study done of nearly 60 NHS institutions in the UK, over half had been the victims of at least one ransomware attack in the last year, though none had resulted in the ransom being paid. Of the hospitals that were affected, the vast majority were able to recover their encrypted data by restoring from backups that are created and stored internally. While ransomware is continuing its spread across the globe in search of easy targets, the best defense is still to have full backups of sensitive information and be prepared for what has become an inevitability for many organizations.

Hacker Exposes Poor IT Security of Kuwait Auto Import Company

While many hackers are on the lookout for a quick payday, or simply to prove they have the capabilities, one hacker has made his mission to teach poor IT admins a lesson. By breaching the Kuwait Automotive Import Company’s main site and obtaining sensitive details on over 10,000 customers, the hacker has definitely sent a message on the importance of strong cybersecurity. After the breach took place, the entire data dump was posted to pastebin, where it remains readily available to the general public.

Nemucod Ransomware Analysis

Today, we’ll look at yet another variant in the massive crop of malware that takes users’ files hostage: Nemucod ransomware.

Nemucod is a ransomware which changes file names to *.crypted. While it’s not a brand new variant, a lot has changed in the last few months, and different methods have been used, but one constant has remained the same – it is deployed via bogus shipping invoice spam email. The Javascript initially received in a spam email downloads malware and encryption components stored on compromised websites. Because this ransomware is written in a scripting language, it’s easily to modify and re-deploy. This has, for a majority, bypassed antivirus protection and spam email protection. However, a flaw was found in the encryption routine,which allows victims to recover their files.

  • January 2016: Nemucod changes file names to “.crypted” but does not actually encrypt them
  • March 2016: Adds XOR encryption using a 255 byte key contained in a downloaded executable. This downloaded executable encrypts the first 2048 bytes of a file
  • April 2016: 7-Zip used instead which created an archive to password protect files
  • April 2016: Instead of a hardcoded key, the Javascript generates a key and passes it as an argument to the downloaded executable and performs the encryption of the first 1024 bytes of each targeted file
  • May 2016: A small change is added to the previous build, which encrypts 2048 bytes instead of 1024 bytes
  • June – August 2016: A PHP script is used along with a PHP interpreter to encrypt the first 1024 bytes of a file

Email Example:

 

 

 

 

 

 

 

 

After opening the spam email attachment, you can see that the file located inside is a Javascript file cleverly disguised as a “.doc”. The file appears to be a .doc for users with the folder option setting “hide extensions for known file types” enabled.

Javascript Analysis:

Upon first opening the sample, it is heavily obfuscated; this is by design to thwart AV analysis and static detection

Nemucod Java

After de-obfuscating the script, I found that several compromised domains are used to store multiple files to be used later on in the execution routine. Of the downloaded files, we can see that two (a1.exe and a2.exe) are designed as a backdoor on the system. a1.exe is usually W32.Kovter and a2.exe is usually W32.Boaxxe. Since PHP is not installed natively on the Windows OS, the 3rd and 4th files downloaded (a.exe and php4ts.dll) are part of a portable PHP interpreter which allows the ransomware (a.php – 5th file downloaded) the ability to run.

Nemucod Java 2

Nemucod Java 3

Analysis of a.php:

We at first saw several samples of a.php written in plain text without obfuscation, but the developers changed this quickly to thwart static detection techniques. The obfuscation techniques below use chr() to encode each as a number specified in ASCII, while also using array() to store the php script in a list of array values.

Examples of Obfuscated ransomware variants:

chr()

Nemucod chr

To de-obfuscate, I converted all of the chr values to ascii characters and finally decoded base 64 stored to get the original script.

Array()

Nemucod Array

To de-obfuscate, I echoed the output of implode for all of the arrays (and removed eval) using the following at the end of the script:

;echo implode($f,”); ?>

De-obfuscated:

Nemucod php

The PHP script first uses “set_time_limit(0);” to keep the interpreter running.

A recursive Tree function is used with preg_match to match folders:

winnt|boot|system|windows|tmp|temp|program|appdata|application|roaming|msoffice|temporary|cache

If a match is found, the script opens the directory and checks for more directories using is_dir; if a directory is found, it runs TREE again, which continues the loop to check if the object is a folder or a file.

Once a file is found, it uses preg_match again to match its file extension:

zip|rar|r00|r01|r02|r03|7z|tar|gz|gzip|arc|arj|bz|bz2|bza|bzip|bzip2|ice|xls|xlsx|doc|docx|pdf|djvu|fb2|rtf|ppt|pptx|pps|sxi|odm|odt|mpp|ssh|pub|gpg|pgp|kdb|kdbx|als|aup|cpr|npr|cpp|bas|asm|cs|php|pas|class|py|pl|h|vb|vcproj|vbproj|java|bak|backup|mdb|accdb|mdf|odb|wdb|csv|tsv|sql|psd|eps|cdr|cpt|indd|dwg|ai|svg|max|skp|scad|cad|3ds|blend|lwo|lws|mb|slddrw|sldasm|sldprt|u3d|jpg|jpeg|tiff|tif|raw|avi|mpg|mp4|m4v|mpeg|mpe|wmf|wmv|veg|mov|3gp|flv|mkv|vob|rm|mp3|wav|asf|wma|m3u|midi|ogg|mid|vdi|vmdk|vhd|dsk|img|iso

Once a file matching the file extensions above is found, it stores that file name and path as the variable “$fp” and a new variable is made “$x” which uses the function fread.

fread() reads up to length bytes from the file pointer referenced by handle.

After reading the first 1024 bytes of a file, a for loop is used with strlen and the variable $k (a base 64 string) to encrypt the files.

 

If you have found yourself a victim of this ransomware, please submit a support ticket.